OCB2 is an authenticated encryption mode, similar to the more popular GCM mode, which takes care of producing ciphertexts and tags from plaintext input without the user having to worry about the order in which to encrypt and tag the data (which can cause problems, just ask the people who designed TLS). The paper that introduced it proved that it is a secure mode as long as the underlying block cipher it is used in conjunction with is secure. Recently it has been discovered that there was an error in the proof, and that OCB2 mode is in fact not secure. An adversary can forge a valid ciphertext/tag pair with one call to an encryption oracle. Suppose we call our encryption oracle (using some unknown secret key) with the following plaintext input:

00000000 00000000 00000000 00000080
4f7edcc5 b51dbbba df72b01e c6d626ba

The encryption oracle, using AES as the underlying block cipher (which should imply the security of the scheme given the proof in the initial paper) returns the following data:

Ciphertext
237ced45 6bc5d05b 1003e95a 56b5c42f
8117a934 e1158678 157e06ea 017e9eb3

Tag
13e9219a f42c93c8 020785ac 9c224a22

It turns out that based on this information alone we can forge a tag for the following ciphertext:

237ced45 6bc5d05b 1003e95a 56b5c4af

What is the tag? Submit your answer in lowercase hex (no spaces).

Solution